Billington CyberSecurity's inaugural International Summit convened in Washington, DC, on April 6, 2016. Several themes emerged from the presentations, but one of the more interesting was the extent to which the participants saw voluntary, self-organizing collaboration for cyber defense and security as not only positive and productive, but as practically inevitable. When organizations—whether military or civilian, government or private, doesn't much matter—find themselves in situations where they need to cooperate to succeed, they typically find ways of doing so. A number of speakers advocated a pragmatic, experiential approach to developing effective policies and procedures for cyber security. Cooperation is more important than technology, and leaders should concentrate on creating the conditions under which this spontaneous organization can occur.
It was also noteworthy how many of the speakers found unclassified, open-source information to be of very great value. There was a general consensus that over-classification was a problem that needs to be addressed, and an obstacle to effective cooperation. But it was also striking how many thought progress could be made simply by attending to, and using, the vast amount of unclassified information that can already be freely shared.
Apart from two sessions conducted under Chatham House rules and closed to the media, here's an account of the day's discussions. After welcoming remarks from conference organizer Thomas K. Billington, Deputy Secretary Alejandro Mayorkas of the US Department of Homeland Security opened the proceedings with the first keynote address.
Collaboration for Cybersecurity: the View from the Department of Homeland Security
Deputy Secretary Mayorkas (US Department of Homeland Security) began by pointing out that the Department of Homeland Security sees information sharing among government and private actors as the centerpiece of its cyber security work. He regards this as a "curative" as opposed to an "accountability" function.
For such sharing of threat information to work, and for the data shared to be evaluated in a useful way, Secretary Mayorkas believes the community should change the way it views information sharing. Threat information sharing should be considered a public good, not a profit center.
He noted, in response to a question, that information sharing should by no means be confined within national borders. He sees US cooperation with Ukrainian authorities over the electrical grid hack that country sustained last December as an excellent case of such sharing. (Department of Homeland Security Deputy Assistant Secretary for Cybersecurity and Communications Gregory Touhill would speak in detail on this cooperation later in the day.) Secretary Mayorkas has also found US-Israeli cooperation for cyber security both close and gratifyingly productive.
He has no naïve illusions about businesses' need to turn a profit, he said, but he thinks an individualized, competitive approach to cyber security is "myopic." In this case, "a rising tide lifts all boats," and he believes he's seen several examples of this in, for instance, the energy utility and the financial sectors. "The cure of one should be the cure of all," and this mindset would be central to the curative framework he advocates.
In response to a question about profit and public goods, Mayorkas expressed the opinion that one element of the profit stream could become a public good, specifically the cyber threat indicator intelligence stream. This could be pulled from the profit stream without damage to business, in his view.
He sees two obstacles to effective, curative, collaborative security. The first is mistrust, principally mistrust of the government by the private sector. This mistrust is in his opinion to a significant extent the residue of the Snowden leaks. And the second obstacle that's inhibited collaboration has been the "unfortunate" debate over encryption. The best way to overcome such obstacles is experientially. Secretary Mayorkas is particularly encouraged by recent advances in anonymization at the Department of Homeland Security, and he thinks these will advance the cause of information sharing.
Embracing Military Cooperation among Allied and Partner Nations in Cyberspace
Moderated by Tanium's Vice President, Federal, Ralph Kahn, this panel had the following members: Lieutenant General Edward Cardon (Commander, US Army Cyber Command), Brigadier General J.M. (Hans) Folmer (Commander, Defense Cyber Command, the Netherlands), Dr. Jill Slay (Director, Australian Centre for Cyber Security, University of New South Wales Canberra), Major General (retired) Earl Matthews (Vice President, Enterprise Security Solutions, Enterprise Services US Public Sector, Hewlett Packard Enterprise), and Vice Admiral (retired) Richard W. Hunt (Vice President, US Business Development, Raytheon).
The panelists began with general observations. General Folmer said that he finds cooperation more important than technology, and this means that cooperative training is very important—it sets the conditions under which cooperative operations can occur. He commended the kind of understanding and cooperation that can emerge against the background of joint training and education. Admiral Hunt advocated joint development of a robust analytical capability. General Matthews seconded Admiral Hunt on analytical capability, and then also noted the growing importance of automation in achieving such capability. General Cardon, taking up the theme of establishing conditions under which effective cooperation can occur, stressed the importance of looking closely at how we set up the networks we use operationally. Dr. Slay reiterated General Folmer's point about the importance of joint education and training.
The global shortage of cyber labor is, moderator Kahn pointed out, a major issue throughout the cyber sector, and is perhaps particularly acute in international coalition contexts. Admiral Hunt thought both user education and increased automation were important in addressing this shortage, but also noted that "we need to generate excitement among the young" about careers in cyber security. Dr. Slay said that the sector has tended to overlook the people with arts degrees (that is, degrees in non-technical or non-applied fields). "Most Australian signal officers have arts degrees," she observed, "and it works for them." This suggests that a proper assessment of relevant skills as well as sound curriculum development will be important to labor force development. General Matthews believed early education to be at least as important as automation.
Nor can retention be ignored as an issue affecting the availability of cyber labor. General Cardon was particularly concerned to communicate that retention of skilled personnel is vital to operational capability. And General Folmer observed that, "Next to education, we should also be aware that our youngsters have competencies we are not aware of." In his experience, cyber challenges are a good way to engage "these youngsters."
The panel was ambivalent about the effect classification has on information sharing. On the one hand, a degree of classification is both positive and inevitable. Dr. Slay thought that classification, especially insofar as it inhibits sharing data internationally, is causing us to waste brainpower. General Matthews thinks there are useful lessons in standardization that CERTs in particular could draw from the experience of law enforcement organizations. Much, however, can be done in the unclassified world. General Cardon noted that the very expression "information sharing" tends to make us think in terms of sharing classified intelligence. This is misleading: it's a mistake to ignore the potential of sharing unclassified information.
At the suggestion of moderator Kahn, the panel turned to the issues surrounding attribution. General Cardon regards attribution as vital: "you need to be able to address the demand for action." General Folmer agreed that attribution is key, and added that doing it properly requires a large amount of intelligence. "It's about all sources, not just digital sources." He cited a case in the Netherlands in which human intelligence—HUMINT—enabled the arrest of the perpetrator of a major telecommunications hack.
The last question the panel took up was that of the policy or legislative matters that were important to cyber sharing and cooperation. There was general agreement on the importance of establishing collaboration networks early, so they don't need to be created hastily and on the fly during an operation. General Cardon thinks policy and education are generally more problematic than technology for cooperation. Joint exercises, he said (and General Folmer agreed), are the key to developing effective cooperation. Dr. Slay concluded the discussion by emphasizing the importance of developing, understanding, and following operational doctrine.
Cybersecurity in the U.K.: An Update Following the Chancellor's Announcement about a £1.9 Billion Investment over the Next Five Years
Tony Cole, Vice President and Global Government CTO at FireEye, moderated the day's second panel. The two speakers were Dr. Ian Levy (Technical Director Cybersecurity and Resilience, GCHQ) and John Cook (CISO, UK Ministry of Defence). Levy (speaking throughout with exuberant, iconoclastic, irritated glee) pointed out that threat actors have their value propositions. "And it's my job," he said, "to make that suck in the UK." If you can understand what the threat actors are after, and if you can make it difficult for them to get it, well, then, the threat actors can go somewhere else. The UK is working toward a one-stop shop for all matters cyber.
Cook observed that the UK's new cyber ecosystem will have implications for contracting, and that the UK expects these to drive significant architectural improvements.
Levy took up the point about changing the ecosystem, and asked the audience to take distributed denial-of-service (DDoS) as an example. There's no reason why it should exist—"it exists because we're lazy" and let carriers permit spoofing.
Information sharing, Levy thinks, is self-organizing when there are people who can consume and take action on information. Government should facilitate that self-organization, and help the people engaged in it. It shouldn't try to enforce information sharing from top-down. Moreover, Levy said, the information shared "should be useful, not STIX and TAXII for some IP address that might have been in Operation Big & Scary weeks ago."
The TalkTalk hack provided much of the motivation for the UK's new framework. Cook pointed out that security comes down to risk management, and the framework is designed with this in mind. "Box-check compliance," Levy noted, "won't make you secure." And he stressed that attackers use simple methods. Scary talk drives him wild: "'APT' isn't 'advanced persistent threat.' It's 'annoying pernicious toe rag.'" So those who wish to help make information sharing better should, he suggested, "start by being honest."
Five Years After President Obama's International Cyber Strategy…and Five Years Ahead
Christopher Painter, Coordinator for Cyber Issues, US State Department, delivered the morning's final keynote. He began by talking about policy threats—repressive countries that want to draw cyber boundaries around themselves. We now see cyber security as a core policy issue, not just in security, but in human rights, economics, and foreign affairs.
The US has been promoting a strategic framework designed to achieve a peaceful cyberspace. The essential elements of that framework are, first, that international law should apply in cyberspace, and, second, that the international community should develop norms analogous to the rules of armed conflict (there are, he thought, many interesting analogies here—prohibition against hacking CERTs is like prohibition against firing on ambulances). Finally, we seek to promote confidence-building measures, and these measures afford really the only strong analogy to nuclear deterrence.
The US has secured significant UN agreement on these three pillars. The US has also succeeded in getting general agreement among the G-20 to prohibit intellectual property theft. Painter sees the way forward as getting more countries to sign up for this framework.
Another goal of US cyber strategy is combatting cyber crime, working to help countries around the world develop appropriate laws. The Budapest Convention on Cyber Crime is a core convention that's attracting more adherents internationally. The Internet, Painter observed, has grown up with lots of stakeholders, from governments to online wise guys, and lots of governments find this troubling. But this multiple stakeholder system is invaluable, and should, the US thinks, take a more extensive role in Internet governance.
Cyberspace, Painter closed, has unique characteristics, but it's not entirely divorced from the physical world. Development and capacity efforts should devote more attention to giving countries the ability to deal with cyber threats, and handle the needs of the burgeoning user base. He stressed that these concerns, these general policy outlines, are enduring. They're not confined to a single Administration, and we should expect to see them continue into the future.
International CERTs: The Next Five Years
Moderated by Susan Wilson (Director, Cyber Solutions, Cyber and Intelligence Mission Solutions Division, Northrop Grumman Mission Systems), this panel's members were Gwen Beauchemin (Director, Canadian Cyber Incident Response Centre, National Cyber Security Directorate, Public Safety Canada, Government of Canada), Larry Zelvin (Director, Cyber Security Fusion Center, CITI), Yurie Ito (Director, Global Coordination Division, Japan CERT, and Executive Director, CyberGreen), Alberto Hasson (Director, Israeli National CERT, Israeli National Cyber Security Authority), and Tom Miller (Chief of Communications, US-CERT, National Cybersecurity and Communications Integration Center, Department of Homeland Security).
Their collective experience and expectations were similar. Canada's Beauchemin thought that within five years sharing alerts will have become a normal activity, and Ito agreed. Ito also thought that CERTs would evolve from their current role and identity as a kind of Internet fire brigade into something much more like cyberspace's Centers for Disease Control. Israel's Hasson thought that the protection CERTs afford ordinary citizens would increase over the next several years. There was general agreement that CERTs needed to promote Internet-of-things security by engaging the entire IT supply chain, and that they faced a challenge common throughout the industry: recruiting and retaining cyber security talent.
Global Cybersecurity Priorities: a View from Qatar
The first open afternoon keynote was delivered by Khalid Al-Hashmi, Assistant Under Secretary, Cyber Security, Q-CERT, Government of Qatar.
Secretary Al-Hashmi described Qatar's response to what he called simply "the incidents of 2012." (That is, the August 2012 hack that knocked natural gas producer RasGas offline. The attack on RasGas closely followed the Shamoon hack of Saudi Aramco claimed by the "Cutting Sword of Justice," widely but inconclusively associated with Iran.)
Assessments of the incidents of 2012 led Qatar to organize a series of nationwide cyber security drills (called "STAR"). Secretary Al-Hashmi stressed that the exercises were not competitions. "We intended to be one nation, one team. Mistakes were OK, and there were to be no blame games." They decided to make the exercises voluntary (and even, if possible, fun).
The first drill took almost a year of planning to execute. There was some fear on the part of prospective participants that various weaknesses they might discover could be exposed to their constituents. In response to that concern, Q-CERT created three tracks based on maturity level. The first year's drill had a relatively small beginning, but by the second year, they had attracted some three hundred twenty participants.
Each year used a different scenario. The sessions included both tabletop exercises and drills with machines configured to the particular needs and concerns of a given sector. By the second year, Secretary Al-Hashmi said, different sectors were cooperating with each other as they ran through their parallel scenarios. "Cross-organizational communication was the goal," and by STAR-2 they were seeing it take shape. "It was gratifying to see all the chiefs at one table, finding a way to address the challenges in the tabletop exercise." STAR-3 showed continued growth in participation, and this drill also engaged academics.
An independent assessment by a different ministerial unit found evidence of improvement in compliance. Secretary Al-Hashmi closed by stressing again that these exercises have been voluntary, and that he credits much of their success to being voluntary and uncoerced.
In cyberspace, we're driving drunk most of the time.
Chris Inglis, Distinguished Visiting Professor in Cybersecurity Studies, US Naval Academy and former Deputy Director, US National Security Agency, delivered the mid-afternoon keynote. He began by commending without reservation Khalid Al-Hashmi's presentation on Q-CERT, noting that simultaneous invention of sound practices is surprisingly common.
Inglis then noted a problem with respect to corporate cyber security. Boards often don't know what to ask, and either ask the wrong questions or no questions at all. Thus they tend to completely delegate responsibility for cyber security. "This puts them into a perennial tail-chase." To understand cyberspace, one must understand certain formative conditions.
The first condition is the technology itself. The second condition is "the new geography" created by that technology. The third condition is the organization of communities in cyberspace by ideology. This can be both a good and a bad thing—communities of interest are generally positive, but the inspiration of lone wolf terrorists online by people whom they've never met and never will meet is decidedly negative.
And a final, enduring trend is "continuation of disparity"—essentially various inequalities and disaffections in the world. That disparity was once reconciled one way or another in the physical world, but that's no longer the case. "Those disparities exist and are resolved in the presence of an adversary." So cyberspace is technology, people, and process.
All enterprises, Inglis noted, have some proposition, some aspiration. They allocate expectations, demands, accountability, and risk. "And risk can't simply be delegated down." With technology, we've tended to deploy tactics reactively. We should, rather, "figure out the overall security proposition, and then allocate expectations downstream."
Inglis advised that what really matters are the data. "Don't focus on transactions; focus on behavior. See whether the behavior is anomalous in itself. Have you seen it before? Is it normal? Understand the living nature of your system."
He moved to some reflections on the role of education in cultivating the people who live in cyberspace. The assumption, he said, that the rising generation is a generation of digital natives is false and naïve. "They're not digital natives; they're app natives." They don't have a serious understanding of the underlying technology. Do they need that? Perhaps not, but we ought to give them something akin to the muscle memory the driver of a car acquires. "Unfortunately, in cyberspace we're driving drunk most of the time."
At the Naval Academy, all midshipmen take at least two courses in cyber. Their education seeks to bring them to an understanding of the implications their actions, as operators, will have for the networks upon which they depend.
At the end of his talk he took a question about encryption, which he understood (correctly) as an invitation to speak about the issues raised by Apple's dispute with the FBI. Privacy, security, and the pursuit of our legitimate aspirations are, he said, clearly goods, and we should regard encryption itself as a public good. That said, there's much to be worked out in our implementation of these public goods. And he noted, citing Google's very different approach to privacy (their feeling that they need to see content in order to deliver value), that the general position in industry is more nuanced and perhaps less monolithically aligned with Apple's principled stance than one might think.
New Innovations in Cybersecurity
The conference's final panel was chaired by CrowdStrike CEO Shawn Henry. As the panelists introduced themselves, a common thread in their interests seemed to be recognition of the importance of mutual support among business, academia, not-for-profits, and government. The speakers were Ida Haisma (Executive Director, Hague Security Delta, the Netherlands), Robert Bigman (President of 2Bsecure, and former CISO of the US Central Intelligence Agency), Ellen Hemmerly (Executive Director, bwtech@UMBC Research and Technology Park), and Joseph Pizzo (Senior Sales Engineer, Securonix).
Haisma opened by noting the complexity of the community of security stakeholders. Cyber security is a public problem that requires both research and investment, "and you need a living laboratory in which you experiment toward a solution."
Hemmerly described her organization's attempts to help start-ups secure funding, and to match start-ups with the kinds of business skills they're likely to lack. "A healthy ecosystem needs not only small, but large, mature companies."
Pizzo described trends in incident response. "We now look at more than just individual devices." We take a predictive approach, and predictive behavioral analytics are important. "We can no longer just collect hard drives and put them on a shelf."
Industry, Bigman said (with due apology to anyone present who might offer the service) has done a disservice to security with SIEMs. The SIEM represents a capability to bring in gigabytes of data without also bringing in the capacity to handle and analyze them. "We have to get away from the carnival act (as seen at RSA) of many disconnected solutions. Until we change this, we're stuck with Rube Goldberg."
Haisma, in response to a question about critical infrastructure, talked about Hague Security Delta's work to create a common testbed for infrastructure. Hemmerly, for all the importance of large firms in the ecosystem, argued for the importance to innovation of maintaining the entrepreneurial, start-up companies. Pizzo sees encouraging signs of security becoming a board issue.
Speaking rather wolfishly, in a Nader-esque, unsafe-at-any-speed mood, Bigman offered his opinion that we won't come close to solving the cyber security problem until we have regulation. "That's how cars got safer. A GS-13 wrote airbags into the regulations, and then no one wanted to take it out, because after all, they'd been widely circulated in draft, and no one wanted to be the person known for getting rid of it." Pizzo acknowledged that there might be something to this, but he offered a partial demurral about excessive regulation, especially regulation that would criminalize vulnerability research, penetration testing and the like as mere "hacking." Haisma took the last word on the topic: "We've got that in the Netherlands—we call it 'responsible disclosure.'"
Lessons Learned from the Recent Ukrainian Electric Cyber Incident
The conference's final keynote was by Brigadier General (retired) Gregory Touhill, Deputy Assistant Secretary for Cybersecurity, US Department of Homeland Security. He began his talk with a familiar neighborhood watch metaphor. In this case he wants the neighborhood to know what happened in Ukraine.
On December 23, 2015, the lights went out in Ukraine in three distinct power outages. This was a cyber attack, and a well-coordinated one, that affected more than 225,000 customers. The US, Secretary Touhill pointed out, learned of the incident from open media reports and offered assistance to the Ukrainian government.
"Ukraine invited us in," and US teams interviewed technicians and managers who experienced the event. The teams and those they interviewed approached the incident from a risk management perspective. They found that the attackers were unknown outsiders (and there's still no firm attribution). The attackers used stolen credentials to gain remote access to administrative networks, whence they worked their way laterally into linked industrial control system networks.
The three coordinated attacks occurred within thirty minutes. Significantly, the attackers took follow-on actions clearly designed to hinder recovery efforts. The affected utilities were indeed infested with BlackEnergy malware, but BlackEnergy's role, if any, in the attack on the grid remains to this day obscure. (And note—despite its name, BlackEnergy is not confined to energy systems.)
Touhill offered this timeline: The attacks began at 2:30 PM. At 3:30 PM the first company lost power, at 3:31 PM the second company went down, and at 4:06 PM the attack pulled the third company offline. By 5:00 PM the attackers began a telephonic denial-of-service attack to inhibit incident response. At 6:00 PM, datacenter power was cut. Within four to six hours after this, the affected companies had restored power by switching to manual control.
"This was a deliberate, well-thought-out, coordinated attack," and the Ukrainian response was impressively fast. Touhill drew two lessons from Ukraine's experience. First, the vulnerability on display isn't only an electrical grid vulnerability: any sector is exposed to this risk. All critical infrastructure is at risk. The second lesson is that we know how to prevent, or at least minimize, attacks like this. Following certain best practices would have done so, including but not only multifactor authentication, limiting remote access functionality, isolation of control system networks, and developing and testing contingency plans.
The Summit closed with Thomas Billington's thanks, and an invitation to participants to meet again in Detroit on July 22 for the Automotive Cybersecurity Summit, and then to return to Washington on September 13 for the Seventh Annual Billington Cybersecurity Summit.
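As an added illustration (not part of the Summit report or any speaker's material), here is a small Python detection pass modelled on the attack chain and countermeasures Touhill described: it flags remote logins that succeeded without multifactor authentication and flows that cross from the administrative network into the control-system network, tying each crossing to the remote session behind it. The log formats, network ranges and sample records are constructed for the example.

```python
# Added example, not from the Summit report. Replays constructed VPN and
# flow logs to surface the pattern Touhill described: stolen credentials ->
# remote access to the administrative network -> lateral movement into the
# control-system network. Two of his best practices (multifactor
# authentication, isolation of control networks) are turned into checks.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ADMIN_NET = ip_network("10.10.0.0/16")    # assumed administrative segment
ICS_NET = ip_network("10.200.0.0/16")     # assumed control-system segment
LATERAL_WINDOW = timedelta(hours=2)       # how long after a login a flow is tied to it


def parse_login(line):
    """Constructed VPN-log format:
    '2015-12-23T14:05:10 vpn user=ops_admin ip=10.10.5.21 mfa=no'"""
    ts, kind, rest = line.split(" ", 2)
    if kind != "vpn":
        raise ValueError("not a login record: %r" % line)
    kv = dict(tok.split("=", 1) for tok in rest.split())
    return {"ts": datetime.fromisoformat(ts), "user": kv["user"],
            "ip": kv["ip"], "mfa": kv["mfa"] == "yes"}


def parse_flow(line):
    """Constructed flow-log format:
    '2015-12-23T14:40:05 flow 10.10.5.21 -> 10.200.1.7:502'"""
    ts, kind, src, arrow, dst = line.split()
    if kind != "flow" or arrow != "->":
        raise ValueError("not a flow record: %r" % line)
    host, port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "dst": host, "dport": int(port)}


def analyse(login_lines, flow_lines):
    """Return findings: remote logins lacking MFA, and admin->ICS flows
    (a segmentation violation), each tied to the session that produced it."""
    logins = [parse_login(l) for l in login_lines]
    flows = [parse_flow(l) for l in flow_lines]
    findings = []
    for lg in logins:
        if not lg["mfa"]:
            findings.append({"type": "remote_login_without_mfa",
                             "user": lg["user"], "ts": lg["ts"]})
    for fl in flows:
        if not (ip_address(fl["src"]) in ADMIN_NET and ip_address(fl["dst"]) in ICS_NET):
            continue
        # Tie the crossing to the most recent remote session on that address.
        session = None
        for lg in logins:
            if lg["ip"] == fl["src"] and timedelta(0) <= fl["ts"] - lg["ts"] <= LATERAL_WINDOW:
                if session is None or lg["ts"] > session["ts"]:
                    session = lg
        findings.append({"type": "admin_to_ics_flow", "src": fl["src"],
                         "dst": fl["dst"], "dport": fl["dport"], "ts": fl["ts"],
                         "user": session["user"] if session else None,
                         "session_mfa": session["mfa"] if session else None})
    return findings


# Constructed sample records; the times are invented, not the real timeline.
LOGIN_LINES = [
    "2015-12-23T14:05:10 vpn user=ops_admin ip=10.10.5.21 mfa=no",
    "2015-12-23T14:12:44 vpn user=j.doe ip=10.10.7.3 mfa=yes",
]
FLOW_LINES = [
    "2015-12-23T14:40:05 flow 10.10.5.21 -> 10.200.1.7:502",   # admin -> ICS
    "2015-12-23T14:41:30 flow 10.10.7.3 -> 10.10.9.9:445",     # stays in admin
    "2015-12-23T15:10:00 flow 10.200.1.7 -> 10.200.1.8:502",   # stays in ICS
]

if __name__ == "__main__":
    for finding in analyse(LOGIN_LINES, FLOW_LINES):
        print(finding)
```

In a real deployment the two segment ranges and the session window would come from the site's network inventory, and the admin-to-ICS rule would be backed by a firewall policy that blocks the crossing outright rather than only reporting it.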